Zaros Part 2

Perpetuals DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Status: Invalid

Double use of referral code

## Summary
The same referral code can be registered twice by different EOAs.
## Vulnerability Details
When a first-time EOA calls `VaultRouterBranch::deposit` directly to deposit a given amount of collateral assets into the
provided vault in exchange for index tokens, a referral code is registered during the deposit if the referral code is not
custom. The registration is made through an external call to `Referral::registerReferral`, channelled through the
`IReferral::registerReferral` interface.
However, another first-time EOA can call `VaultRouterBranch::deposit` with the same `referralCode` and successfully
register it, since there is no check whether the `referralCode` has already been used by someone else.
The only check `Referral::registerReferral` enforces is whether the referrer already has a referral.
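The behaviour described above and the guard proposed under Recommendations, as an added Foundry test against a reduced stand-alone model of the registration path (example code written for this page, not Zaros code; `ReferralModel`, its `enforceUniqueCodes` flag and the test addresses are assumptions). The first test reproduces two referees registering one code; the second shows what the recommended `listOfRegisteredCodes` check changes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Reduced model (assumption, not the project's contract) of Referral::registerReferral.
/// `enforceUniqueCodes` toggles the guard the finding recommends.
contract ReferralModel {
    error ReferralAlreadyExists();
    error CodeAlreadyUsed();

    bool public immutable enforceUniqueCodes;
    // referrerCode (ABI-encoded referee address) => referral code it registered with
    mapping(bytes referrerCode => bytes referralCode) public listOfReferrals;
    // referral code => already used by some referee
    mapping(bytes referralCode => bool picked) public listOfRegisteredCodes;

    constructor(bool enforce) { enforceUniqueCodes = enforce; }

    function registerReferral(address referrer, bytes calldata referralCode) external {
        bytes memory referrerCode = abi.encode(referrer);
        // the only check the original enforces: one referral per referrer
        if (listOfReferrals[referrerCode].length != 0) revert ReferralAlreadyExists();
        // the recommended addition: reject a code that some other referee already used
        if (enforceUniqueCodes && listOfRegisteredCodes[referralCode]) revert CodeAlreadyUsed();
        listOfReferrals[referrerCode] = referralCode;
        listOfRegisteredCodes[referralCode] = true;
    }
}

contract DoubleUseTest is Test {
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");
    // constructed non-custom code: an ABI-encoded referrer address
    bytes code = abi.encode(makeAddr("referrer"));

    function test_WithoutGuard_SameCodeRegisteredTwice() public {
        ReferralModel r = new ReferralModel(false);
        r.registerReferral(alice, code);
        r.registerReferral(bob, code); // succeeds: the behaviour the finding reports
        assertEq(r.listOfReferrals(abi.encode(bob)), code);
    }

    function test_WithGuard_SecondRegistrationReverts() public {
        ReferralModel r = new ReferralModel(true);
        r.registerReferral(alice, code);
        vm.expectRevert(ReferralModel.CodeAlreadyUsed.selector);
        r.registerReferral(bob, code);
    }
}
```

Run with `forge test --match-contract DoubleUseTest`; the judges classed the reusable-code behaviour as a design choice, so the tests document the two behaviours rather than assert which one is correct.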
## Impact
Registration of the same referral code by different EOAs.
## Recommendations
Add a mapping to `ReferralConfiguration::Data` that keeps track of registered referral codes, and enforce a check against it
in `Referral::registerReferral` to prevent double registration of a code.
In `ReferralConfiguration.sol`:
```diff
library ReferralConfiguration {
/// @notice ERC7201 storage location.
bytes32 internal constant REFERRAL_LOCATION = keccak256(
abi.encode(uint256(keccak256("fi.zaros.referral.ReferralConfiguration")) - 1)
) & ~bytes32(uint256(0xff));
/// @notice {Referral} namespace storage structure.
/// @param referralCode ABI encoded referral code, may be a string or address.
/// @param isCustomReferralCode True if the referral code is a custom referral code.
struct ConfigurationData {
bytes referralCode;
bool isCustomReferralCode;
}
struct Data {
mapping(bytes referrer => ConfigurationData configurationData) listOfReferrals;
+ mapping(bytes referralCode => bool picked) listOfRegisteredCodes;
}
```
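Review bot: the new `listOfRegisteredCodes` field has no `/// @param` line, while the neighbouring `ConfigurationData` struct documents each field (`/// @param referralCode ...`, `/// @param isCustomReferralCode ...`); add `/// @param listOfRegisteredCodes True once a referral code has been registered by any referrer.` Also, `Data` is loaded with `ReferralConfiguration.load(msg.sender)` in `registerReferral`, so the new mapping scopes uniqueness per registered engine rather than globally; the doc comment should state that if it is the intended scope.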
In `Referral::registerReferral`:
```diff
+ error CodeAlreadyUsed();
.
.
function registerReferral(
bytes calldata referrerCode,
address referrerAddress,
bytes calldata referralCode,
bool isCustomReferralCode
)
external
onlyRegisteredEngines
{
// load the referral configuration from storage
ReferralConfiguration.Data storage referralConfiguration = ReferralConfiguration.load(msg.sender);
// revert if the referrer already has a referral
if (verifyIfUserHasReferral(referrerCode)) {
revert ReferralAlreadyExists();
}
if (referralCode.length != 0) {
// verify if the referral code is a custom referral code
if (isCustomReferralCode) {
// load the custom referral configuration from storage
CustomReferralConfiguration.Data storage customReferral =
CustomReferralConfiguration.load(string(referralCode));
// revert if the custom referral code is not valid
address referrerCache = customReferral.referrer;
if (referrerCache == address(0) || referrerCache == referrerAddress) {
revert InvalidReferralCode();
}
// set the custom referral code flag
referralConfiguration.listOfReferrals[referrerCode].isCustomReferralCode = true;
} else {
// revert if the referral code decoded is the same as the referrer address
if (referrerAddress == abi.decode(referralCode, (address))) {
revert InvalidReferralCode();
}
// set the custom referral code flag
referralConfiguration.listOfReferrals[referrerCode].isCustomReferralCode = false;
+ if(referralConfiguration.listOfRegisteredCodes[referralCode]) {
+ revert CodeAlreadyUsed();
+ }
}
// set the referral code
referralConfiguration.listOfReferrals[referrerCode].referralCode = referralCode;
+ referralConfiguration.listOfRegisteredCodes[referralCode] = true;
// emit the LogReferralSet event
emit LogReferralSet(msg.sender, referrerCode, referrerAddress, referralCode, isCustomReferralCode);
}
}
```
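Review bot: the `CodeAlreadyUsed` check only runs in the non-custom `else` branch, yet `referralConfiguration.listOfRegisteredCodes[referralCode] = true;` is written after the branch for custom codes too, so a custom code is marked as used but never checked; either hoist the check above `if (isCustomReferralCode)` or move the marking into the `else`. The check is also placed after the `isCustomReferralCode = false` storage write; validate before writing state. Note further that the `else` branch decodes `referralCode` as an address and rejects it only when it equals the caller's own `referrerAddress`, i.e. a non-custom code is another user's address, so making each code single-use would let an address refer exactly one user; that is consistent with the judge's "Design choice" invalidation below.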
Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
